Embed Size (px)
Citation preview
Canadian Anti-SPAM Legislation
February 25, 2014
Introductions and Outline
• Canada Anti-SPAM Legislation (CASL) • Commercial Electronic Messages• Spyware / Malware• Penalties and enforcement • What do we do now?
CASL - Scope
• Three broad prohibitions:• SPAM
> Commercial electronic messages require consent
• Malware> Illegal to install any computer program without express
consent and means to remove
• Spyware> Illegal to install program that transmits data without express
consent and means to remove
CASL – Scope
• Three additional prohibitions:• Message routing
> Illegal to alter transmission data or to rout a message to unintended destination
• Misrepresentations> Illegal to make false or misleading representations
in headers, subject lines, etc.
• Automatic collection> Illegal to automatically collect electronic addresses
What is “SPAM”?
What is “SPAM”?
• Unsolicited commercial electronic message
• Reasonable to conclude that one of the purposes is to encourage the recipient to engage in commercial activities
Commercial Electronic Messages
• s. 6 Prohibits sending a commercial electronic message to an electronic address unless: • Recipient has consented – express, opt-in or
defined “implied consent” category
and• Conforms with prescribed requirements
> Identifies sender and contact information> Unsubscribe mechanism (including www site)
Unsubscribe
Complete Exclusions
• Personal or family relationship• Enquiry or application • Closed messaging systems• Fundraising messages from registered charities• Telco in providing transmission services• Enforce a legal right or due to legal obligation• Intra-organization • Inter-organization (if existing relationship)
Consent
• Express consent• Purpose • Identification of person seeking consent
• Implied consent• Existing business relationship or non B-R• Published electronic address without
disclaimer and related to capacity of recipient
• Referrals
“Existing Business Relationship”
• Implied consent where • Engaged in commercial activity • Existing written contract
within previous 2 years
“Non-Business Relationship”
• Implied consent if• Made donation, gift, provided volunteer work,
member • Prescribed by regulations• In past 2 years
Consent Exclusions
• Quote responding to request• Completes or confirms transaction• Provides warranty, recall or safety info• Provides factual info about ongoing use• Provides employment info• Delivers a product (incl. upgrades)
requested
Jurisdiction and Onus
• S. 6 prohibitions - CEM• If message sent or received in Canada
• Person alleging consent has onus of proof• The “problem” of proof
Competition Act
• CASL adds to existing Competition Act provisions prohibiting false or misleading representations to promote a business interest of the supply or use of a product
• Numbering of Competition Act amendments is particularly confusing
• Investigation/enforcement by Competition Bureau• Bureau has sought and obtained sizeable fines in the
past for deceptive marketing practices• e.g. $10m fine against Rogers for alleged misleading
advertising
Competition Act new s. 74.011 and s. 52.01
• prohibits representation that is false or misleading in a material respect in electronic message
• prohibits false or misleading representation in• sender information in electronic message• subject matter information in electronic message• locater
• look at general impression and literal meaning• only first prohibition states “in a material respect”• no “to the public” concept• no concept of exception for consent or existing business
relationship
Competition Act: Discussion Examples
• Subject Matter Information• Fly Ottawa to Calgary for $299 return• Lose 20 Pounds in 3 Weeks• Our best sale of the year• Exclusive Upgrade Offer
• Aggressive e-mail subject matter language poses risk to senders
Practical Issues
• Are any existing consents still valid?
• How to get fresh consent
• Information management: • what data / proof is required• managing exclusions (i.e. business relationship)
• Message format compliance
• Vicarious liability
Enforcement
• Regulatory agencies:• CRTC• Competition Bureau• OPC
• Spam Reporting Centre
• 2017: Private Right of Action
CRTC Enforcement Tools
• Purpose of the legislation is to promote compliance, not punish
• Education will play a significant role, particularly in the early stages
• Range of regulatory tools• Letters of warning (not provided for in legislation)• Administrative Monetary Penalties (AMPs)• Undertakings (similar to consent agreements under
the Competition Act)• Notice of Violation
CRTC Enforcement Powers: AMPs
• Section 20
• Persons who contravene sections 6 to 9 are liable to pay AMPs
• Similar to scheme for violations of the Unsolicited Telecommunications Rules (including the Do-Not-Call-List provisions) under the Telecommunications Act
CRTC Enforcement Powers: AMPs
• Maximum penalty is $1M in the case of an individual and $10M for any other person such as a corporation
• Factors in determining amount include:• Purpose of penalty• Nature and scope of violation• History of previous violations • Financial benefits of the violation• Ability to pay• Whether voluntary compensation made
CRTC Enforcement Powers: Undertakings
• Target can enter into undertakings with the designated person
• No Notice of Violation (and hence AMPs) may be issued if undertaking entered into and any existing notice of violation is extinguished to the extent of the undertaking
• Undertakings may include conditions and a requirement to pay a specified amount
CRTC Enforcement Powers: Notices of Violation
• Limitation period: 3 years• Mandatory information set out in ss. 22(2)• Target has 30 days to make representations to
CRTC• If: (1) penalty is paid or (2) penalty is not paid
and no representations are made, target is deemed to have committed the violation
CRTC Enforcement Powers: Notices of Violation
• No liability if due diligence demonstrated• Common law defences apply to any violation• If representations are made, CRTC must decide
whether target committed the violation and, if so, can confirm, reduce or waive the penalty, or can suspend payment of the penalty subject to conditions
• CRTC may also issue an order directing target to cease contravening the provision(s) – s.26
Private Right of Action
2017: “Lights go out on Broadway”
•Persons affected can apply for compensation to a court of competent jurisdiction•Compensation:
• Actual damages• Statutory damages
> $200 per contravention of Section 6, not exceeding $1M per day
> $1M/day for contraventions of Sections 7 and 8> Same maximum amounts for person who aids or abets
contrary to section 9
Private Right of Action
• Statutory damages not available if undertaking or notice of violation has been issued
• Conversely, once private right of action is commenced, no undertaking or notice of violation can be made
• Due diligence and common law defences available
• Class actions ???
What do we do now?
What do we do now?
1. Assess your electronic communications
2. Do you have consent?
3. Identify exclusions
4. Data management: assess and establish systems to manage and preserve records
5. Prepare unsubscribe mechanisms
What to do cont’d…
6. Obtain consents required
7. Format CEMs
8. Content oversight
9. Staff education
10.Review and audit
Questions?
Discussion?
